Shibboleth Developers

[Jim Fox <>]

(Keep in mind that I am not a java expert. Corrections to 
any misunderstandings here are welcome.)

The gist is that TLS has to be negotiated.  We are also using a
SASL mechanism on the LDAP servers.  The code corresponding to
JNDIDirectoryDataConnector.java, around line 220, looks like:

   LdapContext context = null;
   StartTlsResponse tls = null;
   try {
      context = new InitialLdapContext(properties, null);

      /* Start TLS */
      tls = (StartTlsResponse)
             context.extendedOperation(new StartTlsRequest());
      tls.negotiate();
      context.addToEnvironment(Context.SECURITY_AUTHENTICATION, "EXTERNAL");

      NamingEnumeration nEnumeration = null;
      ...

and there is a tls.close() later.  I can send you or the list either
the new plugin or a diff from JNDIDirectoryDataConnector if you like.

TLS is not SSL, but does get the principal name from the certificate,
so the xml elements for "security.protocol", "security.principal",
and "security.credentials" are not used.

In addition, as far as I can tell, the certificate properties
associated with TLS authentication, e.g., javax.net.ssl.keyStore,
are global and cannot be set on a per-connection basis.  I think
that's true even if the code does the setProperty, rather than
doing it by a JAVA_OPTS setting in tomcat.

I also encountered a conflict if I tried to connect to one LDAP
server with SSL and id/password auth and to a second LDAP server
with TLS auth.  The keystore property settings seemed to override
the password auth.  Having both LDAPs use TLS worked fine.

I'm using java 1.5.0.


Jim



On Wed, 15 Dec 2004, Walter Hoehn wrote:

> Date: Wed, 15 Dec 2004 13:13:04 -0600
> From: Walter Hoehn 
> <>
> To: Jim Fox 
> <>
> Cc: 
>
> Subject: Re: TLS to LDAP?
>
> Hi Jim,
>
> We certainly want to support this configuration.  Can you be specific about 
> what your connector had to do differently?  The shib-supplied JNDI connector 
> should be able to pass-through any property to the Sun ldap provider.
>
> -Walter
>
>
> On Dec 15, 2004, at 11:49 AM, Jim Fox wrote:
>
> > We want to allow our attribute resolver to contact a couple of
> > LDAP servers that use the TLS protocol - instead of simple SSL.
> > The stock JNDIDirectoryDataConnector did not appear to be able to
> > handle TLS, so we installed a custom connnector.
> >
> > Am I correct about this?  If there is a different way to do
> > TLS to an LDAP server somebody please tell me.  We also
> > authenticate with certificates, instead of passwords.
> >
> > Otherwise, TLS seems like a natural protocol to support.
> > The standard JNDI connector could easily be adapted to do so.
> > Might this be added?
> >
> > Jim